[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

TagScanner v5.1 - Stack Buffer Overflow Vulnerability



Title:
======
TagScanner v5.1 - Stack Buffer Overflow Vulnerability


Date:
=====
2013-01-22


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=831


VL-ID:
=====
831


Common Vulnerability Scoring System:
====================================
6.4


Introduction:
=============
TagScanner is a multifunction program for organizing and managing your music 
collection. It can edit tags of mostly state-of-the-art 
audio formats, rename files based on the tag information, generate tag 
information from filenames, and perform any transformations of 
the text from tags and filenames. Also you may get album info via online 
databases like freedb or Amazon. Supports ID3v1, ID3v2, 
Vorbis comments, APEv2, WindowsMedia and MP4(iTunes) tags.

- Rename files based on the tag and file information
- Powerful multiple files tag editor
- Import tag information and album art from online databases like freedb or 
Amazon
- Generate tag information from file/foldernames
- Tag fields formatting and rearrangement
- Words replacement and case conversion from tags and filenames
- Supports MP3, OGG, FLAC, WMA, MPEG-4, Opus, Musepack, Monkey`s Audio, AAC, 
OptimFROG, SPEEX, WavPack, TrueAudio files
- Supports ID3 1.0/1.1/2.2/2.3/2.4 tags, APE v1 and v2 tags, Vorbis Comments, 
WMA tags and MP4(iTunes) metadata
- Supports for embedded lyrics and cover art
- Resize cover art for portable devices on the fly
- TAGs versions conversions
- Quick playlists creation
- Export information to HTML, XML CSV or any user-defined format
- Full support for Unicode
- Multilanguage interface
- Built-in multiformat player

Powerful TAG editor with batch functions and special features. Playlist maker 
with ability to export playlists to HTML or Excel. 
Easy-to-use interface. Built-in player.

(Copy of the Vendor Homepage: http://www.xdlab.ru/ )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a local stack buffer 
overflow vulnerability in the Yandex xdLab TagScanner v5.1 software.


Report-Timeline:
================
2013-01-22:     Public Disclosure


Status:
========
Published


Affected Products:
==================
Yandex - XDLab
Product: TagScanner 5.1


Exploitation-Technique:
=======================
Local


Severity:
=========
High


Details:
========
A local stack buffer overflow vulnerability is detected in the official Yandex 
xdLab TagScanner v5.1 software. 
The buffer overflow occurs when data written to a buffer, due to insufficient 
bounds checking, corrupts data values 
in memory addresses adjacent to the allocated buffer.

The vulnerability is located in the `rename` module of the software when 
processing to load the `rename folder by tag` 
function as listing. Local attackers can use the `Edit template` function of 
the rename module to overflow the memory 
when processing to (buffer) list the inserted context (large). When the victim 
is processing to click with another system 
user account the syncronized software context and clicks on the rename function 
for the tag listing the overflow occurs.
The vulnerable add input parameters to exploit the local vulnerability are 
`Custom Genres` & `Templates for Foldernames`.

The vulnerability can be exploited by privileged system user accounts with low 
or medium required user interaction.
Successful exploitation of the buffer overflow vulnerability results in 
overruns of the buffer(s) boundary and overwrites adjacent memory.

Vulnerable Module(s):
                                [+] Rename Folder by TAG - Genres and Templates

Vulnerable Parameter(s):
                                [+] Custom Genres - Add
                                [+] Templates for Folderanmes - Add

Affected Module(s):
                                [+] Rename Folder by TAG - TAG Listing 
(Component)


Proof of Concept:
=================
The vulnerability can be exploited by local attackers with privileged system 
user account and medium required user interaction. For demonstration or 
reproduce ...

Manually steps to reproduce ...

1.   Download the TagScanner v5.1 software of the yandex dxlab
2.   Start the software and include any random track from your hd to the main 
listing
3.   Click (Right) with the mouse on the listed track and open the rename 
folder by tag main function
4.   Click  ... > Edit templates
5.   Open the Genres and Templates section in the module
6.   Now choose one of the add function and click on + (Custom Genres or 
Templates for Foldernames)
7.   Start your fuzzer to process the request or include manually a large 
string (x bytes) since the block is empty
8.   Save it by opening the big black arrow (Left|Top) in the menu
9.   Choose the track by an easy click, click with right mouse button again and 
open the rename folder by tag listing
10. The software will crash the and the overflow with the ability to overwrite 
occurs


--- Debug Logs (Exception) ---

(13e8.11dc): AV - code c0000005 (first chance)
eax=00000000 ebx=00000000 ecx=00410041 edx=779cb46d esi=00000000 edi=00000000
eip=41414141 esp=0018ea90 ebp=0018eab0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
Tagscan+0x10041:
41414141 0000            add     byte ptr [eax],al          ds:002b:00000000=??
0:000> !exchain
0018eaa4: ntdll!LdrRemoveLoadAsDataTable+d64 (779cb46d)
0018eed0: Tagscan+14420 (00414420)
0018eef0: Tagscan+1ead78 (005ead78)
0018f154: Tagscan+10041 (41414141)
Invalid exception stack at 41414141
0:000> u
Tagscan+0x10041:
41414141 0000            add     byte ptr [eax],al
00410043 00ac0041000000  add     byte ptr [eax+eax+41h],ch
0041004a 0000            add     byte ptr [eax],al
0041004c 0000            add     byte ptr [eax],al
0041004e 0000            add     byte ptr [eax],al
00410050 0000            add     byte ptr [eax],al
00410052 0000            add     byte ptr [eax],al
00410054 94              xchg    eax,esp
0:000> a
41414141

--- APPCrash Logs ---
EventType=APPCRASH (BEX)
EventTime=130029411726060019
ReportType=2
Consent=1
ReportIdentifier=ddec5c9b-6102-11e2-adfe-efaefe8363dd
IntegratorReportIdentifier=ddec5c9a-6102-11e2-adfe-efaefe8363dd
WOW64=1
Response.type=4
Sig[0].Name=Anwendungsname
Sig[0].Value=Tagscan.exe
Sig[1].Name=Anwendungsversion
Sig[1].Value=5.1.6.30
Sig[2].Name=Anwendungszeitstempel
Sig[2].Value=50f57b7e
Sig[3].Name=Fehlermodulname
Sig[3].Value=Tagscan.exe
Sig[4].Name=Fehlermodulversion
Sig[4].Value=5.1.6.30
Sig[5].Name=Fehlermodulzeitstempel
Sig[5].Value=50f57b7e
Sig[6].Name=Ausnahmecode
Sig[6].Value=c0000005
Sig[7].Name=Ausnahmeoffset
Sig[7].Value=41414141
DynamicSig[1].Name=Betriebsystemversion
DynamicSig[1].Value=6.1.7601.2.1.0.768.3
DynamicSig[2].Name=Gebietsschema-ID
DynamicSig[2].Value=1031
DynamicSig[22].Name=Zusatzinformation 1
DynamicSig[22].Value=c9ed
DynamicSig[23].Name=Zusatzinformation 2
DynamicSig[23].Value=c9ed9ec450d4be6144400a9541f5eddb
DynamicSig[24].Name=Zusatzinformation 3
DynamicSig[24].Value=04ae
DynamicSig[25].Name=Zusatzinformation 4
DynamicSig[25].Value=04ae339f4a83b6a3d3bf04a428f6874f
UI[2]=C:\Program Files (x86)\TagScanner\Tagscan.exe
UI[3]=Ultimate TagScanner funktioniert nicht mehr
UI[4]=Windows kann online nach einer Lösung für das Problem suchen.
UI[5]=Online nach einer Lösung suchen und das Programm schließen
UI[6]=Später online nach einer Lösung suchen und das Programm schließen
UI[7]=Programm schließen
LoadedModule[0]=C:\Program Files (x86)\TagScanner\Tagscan.exe
LoadedModule[62]=C:\Program Files (x86)\TagScanner\plugins\bass_aac.dll
LoadedModule[63]=C:\Program Files (x86)\TagScanner\plugins\bass_alac.dll
LoadedModule[64]=C:\Program Files (x86)\TagScanner\plugins\bass_ape.dll
LoadedModule[65]=C:\Program Files (x86)\TagScanner\plugins\bass_mpc.dll
LoadedModule[66]=C:\Program Files (x86)\TagScanner\plugins\bass_ofr.dll
LoadedModule[67]=C:\Program Files (x86)\TagScanner\OptimFROG.dll
LoadedModule[68]=C:\Program Files (x86)\TagScanner\plugins\bass_spx.dll
LoadedModule[69]=C:\Program Files (x86)\TagScanner\plugins\bass_tta.dll
LoadedModule[70]=C:\Program Files (x86)\TagScanner\plugins\bass_wv.dll
LoadedModule[71]=C:\Program Files (x86)\TagScanner\plugins\bassflac.dll
LoadedModule[72]=C:\Program Files (x86)\TagScanner\plugins\basswma.dll
LoadedModule[73]=C:\Program Files (x86)\TagScanner\plugins\bassopus.dll
LoadedModule[74]=C:\Windows\system32\mswsock.dll
LoadedModule[75]=C:\Windows\System32\wshtcpip.dll
LoadedModule[76]=C:\Windows\system32\DNSAPI.dll
LoadedModule[77]=C:\Program Files (x86)\Bonjour\mdnsNSP.dll
LoadedModule[78]=C:\Windows\system32\Iphlpapi.DLL
LoadedModule[79]=C:\Windows\system32\WINNSI.DLL
LoadedModule[80]=C:\Windows\system32\rasadhlp.dll
LoadedModule[81]=C:\Windows\System32\wship6.dll
LoadedModule[82]=C:\Windows\system32\avrt.dll
FriendlyEventName=Nicht mehr funktionsfähig
ConsentKey=APPCRASH
AppName=Ultimate TagScanner
AppPath=C:\Program Files (x86)\TagScanner\Tagscan.exe


Solution:
=========
The vulnerability can be patched by a restriction of the input fields when 
processing to load the rename folder by tag listing.



Risk:
=====
The security risk of the local buffer overflow vulnerability is estimated as 
high(-).


Credits:
========
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri 
(bkm@xxxxxxxxxxxxxxxxxxxxx)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
               - www.vulnerability-lab.com/register
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - support@xxxxxxxxxxxxxxxxxxxxx 
               - research@xxxxxxxxxxxxxxxxxxxxx
Section:    video.vulnerability-lab.com         - forum.vulnerability-lab.com   
               - news.vulnerability-lab.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
               - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, sourcecode, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or 
support@xxxxxxxxxxxxxxxxxxxxx) to get a permission.

                                        Copyright © 2013 | Vulnerability 
Laboratory

-- 
VULNERABILITY RESEARCH LABORATORY
LABORATORY RESEARCH TEAM
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx